GitHub Vulnerability Alerts
CVE-2021-23413
This affects the package jszip before 3.7.0. Crafting a new zip file with filenames set to Object prototype values (e.g. `__proto__`, `toString`, etc.) results in a returned object with a modified prototype instance.
CVE-2022-48285
loadAsync in JSZip before 3.8.0 allows Directory Traversal via a crafted ZIP archive.
Release Notes
Stuk/jszip
### [`v3.8.0`](https://togithub.com/Stuk/jszip/blob/HEAD/CHANGES.md#v380-2022-03-30)
[Compare Source](https://togithub.com/Stuk/jszip/compare/v3.7.1...v3.8.0)
- Sanitize filenames when files are loaded with `loadAsync`, to avoid ["zip slip" attacks](https://snyk.io/research/zip-slip-vulnerability). The original filename is available on each zip entry as `unsafeOriginalName`. See the [documentation](https://stuk.github.io/jszip/documentation/api_jszip/load_async.html). Many thanks to McCaulay Hudson for reporting.
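The v3.8.0 note above (and CVE-2022-48285) describes sanitizing entry names so a crafted archive cannot write outside the extraction directory while keeping the raw name available. The following is an added example, not JSZip's own implementation: a defensive name normalizer of that kind, written from scratch here. The function names `sanitizeEntryName` and `auditListing` and the sample listing are constructed for this illustration and do not come from the library.

```javascript
// Added example (not JSZip's code): normalize an archive entry name to a
// relative path that cannot escape the extraction directory, and keep the
// untouched name beside it, mirroring the unsafeOriginalName idea above.
// Returns { name, unsafeOriginalName, changed }.
function sanitizeEntryName(original) {
  let name = original.replace(/\\/g, "/");       // treat backslashes as separators
  name = name.replace(/^[a-zA-Z]:/, "");          // drop a Windows drive prefix
  const segments = [];
  for (const seg of name.split("/")) {
    if (seg === "" || seg === ".") continue;      // empty and current-dir parts
    if (seg === "..") { segments.pop(); continue; } // never climb above the root
    segments.push(seg);
  }
  let cleaned = segments.join("/");
  if (original.endsWith("/") && cleaned !== "") cleaned += "/"; // keep directory marker
  return { name: cleaned, unsafeOriginalName: original, changed: cleaned !== original };
}

// Audit a whole listing: return every entry whose name had to be rewritten.
// An extractor can refuse such archives outright or log them for review.
function auditListing(names) {
  const rewritten = [];
  for (const n of names) {
    const r = sanitizeEntryName(n);
    if (r.changed) rewritten.push(r);
  }
  return rewritten;
}

// Constructed sample listing (hypothetical, not from any real archive):
// three benign names and three that try to leave the target directory.
const SAMPLE_LISTING = [
  "docs/readme.txt",
  "src/",
  "./config.json",
  "../../escape.txt",
  "/absolute/path",
  "C:\\Windows\\win.ini",
];

// Usage: list the entries a loader would have rewritten.
for (const r of auditListing(SAMPLE_LISTING)) {
  console.log(`${JSON.stringify(r.unsafeOriginalName)} -> ${JSON.stringify(r.name)}`);
}
```

The design choice worth noting is that `..` segments are dropped rather than rejected with an error, matching the changelog's description of sanitizing names; a stricter policy that refuses any archive with a rewritten name is one line in `auditListing`.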
### [`v3.7.1`](https://togithub.com/Stuk/jszip/blob/HEAD/CHANGES.md#v371-2021-08-05)
[Compare Source](https://togithub.com/Stuk/jszip/compare/v3.7.0...v3.7.1)
- Fix build of `dist` files.
- Note: this version ensures the changes from 3.7.0 are actually included in the `dist` files. Thanks to Evan W for reporting.
### [`v3.7.0`](https://togithub.com/Stuk/jszip/blob/HEAD/CHANGES.md#v370-2021-07-23)
[Compare Source](https://togithub.com/Stuk/jszip/compare/v3.6.0...v3.7.0)
- Fix: Use a null prototype object for this.files (see [#766](https://togithub.com/Stuk/jszip/pull/766))
- This change might break existing code if it uses prototype methods on the `.files` property of a zip object, for example `zip.files.toString()`. This approach is taken to prevent files in the zip overriding object methods that would exist on a normal object.
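The v3.7.0 fix above (and CVE-2021-23413) moves the file table to a null-prototype object so an entry named `__proto__` or `toString` cannot alter the table's prototype. The following is an added example, not JSZip's code: a plain-object table and a null-prototype table built from the same constructed entry names, with an `inspect` helper that reports what each one ended up with. The helper names and the sample entries are assumptions made for this illustration.

```javascript
// Added example (not JSZip's code): why a null-prototype file table resists
// filename keys such as "__proto__" or "toString".

// Naive table: a plain object literal inherits from Object.prototype, so the
// key "__proto__" reaches the inherited setter instead of becoming an entry.
function buildPlainTable(entries) {
  const files = {};
  for (const [name, entry] of entries) {
    files[name] = entry;
  }
  return files;
}

// Hardened table: Object.create(null) has no inherited setter or methods, so
// every filename becomes an own property, whatever it is called.
function buildNullProtoTable(entries) {
  const files = Object.create(null);
  for (const [name, entry] of entries) {
    files[name] = entry;
  }
  return files;
}

// Constructed sample entries (hypothetical): one normal file plus two names
// shaped like Object.prototype members.
const SAMPLE_ENTRIES = [
  ["readme.txt", { dir: false, size: 12 }],
  ["__proto__", { polluted: true }],
  ["toString", { dir: false, size: 3 }],
];

// Summarize the effect of the three names on a table.
function inspect(table) {
  const proto = Object.getPrototypeOf(table);
  return {
    // own keys: the hardened table keeps all three names
    ownNames: Object.keys(table).length,
    // did the "__proto__" entry replace the table's prototype?
    protoIsEntry: proto !== null && proto !== Object.prototype,
    // a field leaking in through the replaced prototype
    leakedField: table.polluted === true,
    // an entry named "toString" shadows the inherited method on a plain
    // object; on a null-prototype table there was nothing to shadow
    hasOwnToString: Object.prototype.hasOwnProperty.call(table, "toString"),
  };
}

// Usage: compare both tables side by side.
console.log("plain:", inspect(buildPlainTable(SAMPLE_ENTRIES)));
console.log("null-proto:", inspect(buildNullProtoTable(SAMPLE_ENTRIES)));
```

The `hasOwnToString` flag also shows the compatibility caveat in the note above: in both tables an entry called `toString` is an own property, so `zip.files.toString()` stops being a callable method either way, and with the null-prototype table no inherited `toString` exists at all.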
### [`v3.6.0`](https://togithub.com/Stuk/jszip/blob/HEAD/CHANGES.md#v360-2021-02-09)
[Compare Source](https://togithub.com/Stuk/jszip/compare/v3.5.0...v3.6.0)
- Fix: redirect main to dist on browsers (see [#742](https://togithub.com/Stuk/jszip/pull/742))
- Fix duplicate require DataLengthProbe, utils (see [#734](https://togithub.com/Stuk/jszip/pull/734))
- Fix small error in read_zip.md (see [#703](https://togithub.com/Stuk/jszip/pull/703))
### [`v3.5.0`](https://togithub.com/Stuk/jszip/blob/HEAD/CHANGES.md#v350-2020-05-31)
[Compare Source](https://togithub.com/Stuk/jszip/compare/v3.4.0...v3.5.0)
- Fix 'End of data reached' error when file extra field is invalid (see [#544](https://togithub.com/Stuk/jszip/pull/544)).
- Typescript definitions: Add null to return types of functions that may return null (see [#669](https://togithub.com/Stuk/jszip/pull/669)).
- Typescript definitions: Correct nodeStream's type (see [#682](https://togithub.com/Stuk/jszip/pull/682))
- Typescript definitions: Add string output type (see [#666](https://togithub.com/Stuk/jszip/pull/666))
### [`v3.4.0`](https://togithub.com/Stuk/jszip/blob/HEAD/CHANGES.md#v340-2020-04-19)
[Compare Source](https://togithub.com/Stuk/jszip/compare/v3.3.0...v3.4.0)
- Add Typescript type definitions (see [#601](https://togithub.com/Stuk/jszip/pull/601)).
### [`v3.3.0`](https://togithub.com/Stuk/jszip/blob/HEAD/CHANGES.md#v330-2020-04-1)
[Compare Source](https://togithub.com/Stuk/jszip/compare/v3.2.2...v3.3.0)
- Change browser module resolution to support Angular packager (see [#614](https://togithub.com/Stuk/jszip/pull/614)).
### [`v3.2.2`](https://togithub.com/Stuk/jszip/blob/HEAD/CHANGES.md#v322-2019-07-04)
[Compare Source](https://togithub.com/Stuk/jszip/compare/v3.2.1...v3.2.2)
- No public changes, but a number of testing dependencies have been updated.
- Tested browsers are now: Internet Explorer 11, Chrome (most recent) and Firefox (most recent). Other browsers (specifically Safari) are still supported however testing them on Saucelabs is broken and so they were removed from the test matrix.
### [`v3.2.1`](https://togithub.com/Stuk/jszip/blob/HEAD/CHANGES.md#v321-2019-03-22)
[Compare Source](https://togithub.com/Stuk/jszip/compare/v3.2.0...v3.2.1)
- Corrected built dist files
### [`v3.2.0`](https://togithub.com/Stuk/jszip/blob/HEAD/CHANGES.md#v320-2019-02-21)
[Compare Source](https://togithub.com/Stuk/jszip/compare/v3.1.5...v3.2.0)
- Update dependencies to reduce bundle size (see [#532](https://togithub.com/Stuk/jszip/pull/532)).
- Fix deprecated Buffer constructor usage and add safeguards (see [#506](https://togithub.com/Stuk/jszip/pull/506)).
### [`v3.1.5`](https://togithub.com/Stuk/jszip/blob/HEAD/CHANGES.md#v315-2017-11-09)
[Compare Source](https://togithub.com/Stuk/jszip/compare/v3.1.4...v3.1.5)
- Fix IE11 memory leak (see [#429](https://togithub.com/Stuk/jszip/pull/429)).
- Handle 2 nodejs deprecations (see [#459](https://togithub.com/Stuk/jszip/pull/459)).
- Improve the "unsupported format" error message (see [#461](https://togithub.com/Stuk/jszip/pull/461)).
- Improve webworker compatibility (see [#468](https://togithub.com/Stuk/jszip/pull/468)).
- Fix nodejs 0.10 compatibility (see [#480](https://togithub.com/Stuk/jszip/pull/480)).
- Improve the error without type in async() (see [#481](https://togithub.com/Stuk/jszip/pull/481)).
### [`v3.1.4`](https://togithub.com/Stuk/jszip/blob/HEAD/CHANGES.md#v314-2017-08-24)
[Compare Source](https://togithub.com/Stuk/jszip/compare/v3.1.3...v3.1.4)
- consistently use our own utils object for inheritance (see [#395](https://togithub.com/Stuk/jszip/pull/395)).
- lower the memory consumption in `generate*` with a lot of files (see [#449](https://togithub.com/Stuk/jszip/pull/449)).
### [`v3.1.3`](https://togithub.com/Stuk/jszip/blob/HEAD/CHANGES.md#v313-2016-10-06)
[Compare Source](https://togithub.com/Stuk/jszip/compare/v3.1.2...v3.1.3)
- instanceof failing in window / iframe contexts (see [#350](https://togithub.com/Stuk/jszip/pull/350)).
- remove a copy with blob output (see [#357](https://togithub.com/Stuk/jszip/pull/357)).
- fix crc32 check for empty entries (see [#358](https://togithub.com/Stuk/jszip/pull/358)).
- fix the base64 error message with data uri (see [#359](https://togithub.com/Stuk/jszip/pull/359)).
### [`v3.1.2`](https://togithub.com/Stuk/jszip/blob/HEAD/CHANGES.md#v312-2016-08-23)
[Compare Source](https://togithub.com/Stuk/jszip/compare/v3.1.1...v3.1.2)
- fix support of nodejs `process.platform` in `generate*` methods (see [#335](https://togithub.com/Stuk/jszip/pull/335)).
- improve browserify/webpack support (see [#333](https://togithub.com/Stuk/jszip/pull/333)).
- partial support of a promise of text (see [#337](https://togithub.com/Stuk/jszip/pull/337)).
- fix streamed zip files containing folders (see [#342](https://togithub.com/Stuk/jszip/pull/342)).
### [`v3.1.1`](https://togithub.com/Stuk/jszip/blob/HEAD/CHANGES.md#v311-2016-08-08)
[Compare Source](https://togithub.com/Stuk/jszip/compare/v3.1.0...v3.1.1)
- Use a hard-coded JSZip.version, fix an issue with webpack (see [#328](https://togithub.com/Stuk/jszip/pull/328)).
### [`v3.1.0`](https://togithub.com/Stuk/jszip/blob/HEAD/CHANGES.md#v310-2016-08-03)
[Compare Source](https://togithub.com/Stuk/jszip/compare/v3.0.0...v3.1.0)
- utils.delay: use macro tasks instead of micro tasks (see [#288](https://togithub.com/Stuk/jszip/pull/288)).
- Harden base64 decode (see [#316](https://togithub.com/Stuk/jszip/pull/316)).
- Add JSZip.version and the version in the header (see [#317](https://togithub.com/Stuk/jszip/pull/317)).
- Support Promise(Blob) (see [#318](https://togithub.com/Stuk/jszip/pull/318)).
- Change JSZip.external.Promise implementation (see [#321](https://togithub.com/Stuk/jszip/pull/321)).
- Update pako to v1.0.2 to fix a DEFLATE bug (see [#322](https://togithub.com/Stuk/jszip/pull/322)).
### [`v3.0.0`](https://togithub.com/Stuk/jszip/blob/HEAD/CHANGES.md#v300-2016-04-13)
[Compare Source](https://togithub.com/Stuk/jszip/compare/2a07b3bc53114ca1f61faf5a16ae31c25bb70b5e...v3.0.0)
This release changes a lot of methods, please see [the upgrade guide](http://stuk.github.io/jszip/documentation/upgrade_guide.html).
- replace sync getters and `generate()` with async methods (see [#195](https://togithub.com/Stuk/jszip/pull/195)).
- support nodejs streams (in `file()` and `generateAsync()`).
- support Blob and Promise in `file()` and `loadAsync()` (see [#275](https://togithub.com/Stuk/jszip/pull/275)).
- add `support.nodestream`.
- zip.filter: remove the defensive copy.
- remove the deprecated API (see [#253](https://togithub.com/Stuk/jszip/pull/253)).
- `type` is now mandatory in `generateAsync()`.
- change the createFolders default value (now `true`).
- Dates: use UTC instead of the local timezone.
- Add `base64` and `array` as possible output type.
- Add a forEach method.
- Drop node 0.8 support (see [#270](https://togithub.com/Stuk/jszip/pull/270)).
### [`v2.7.0`](https://togithub.com/Stuk/jszip/compare/v2.6.1...2a07b3bc53114ca1f61faf5a16ae31c25bb70b5e)
[Compare Source](https://togithub.com/Stuk/jszip/compare/v2.6.1...2a07b3bc53114ca1f61faf5a16ae31c25bb70b5e)
Configuration
📅 Schedule: "" (UTC).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, click this checkbox.
This PR contains the following updates: jszip `^2.6.1` -> `^3.0.0`